Security Observation - adminconsole/templates

Article ID: 218481


Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

UIM 20.3.3 with no hot fixes applied

Finding Description

The company was able to determine that several forms under the /adminconsoleapp/js/adminconsole/template/ path are not required by users, and access to that path should be restricted. Leaving these paths reachable might expose the application to Cross-Site Request Forgery (CSRF).

Impact

This vulnerability can allow a malicious attacker to trick an authenticated user into submitting a malicious form that performs actions within the application without the user’s knowledge or permission. Since the SameSite cookie attribute is not enforced by all browsers, it is not a 100% effective countermeasure on its own.

Systems Affected

URLs:

·        https://<ip>/adminconsoleapp/js/adminconsole/template/archiveCredentials.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/archiveImportPackageDialog.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/editProbeRawConfigKeyValue.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/editProbeRawConfigSection.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/hubLicense.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/probeSecurityNew.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/probeUtilityParameters.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/probeUtilityTimeoutDialog.html

·        https://<ip>/adminconsoleapp/js/adminconsole/template/userForm.html

Recommendation

Solutions could include removing the /template folder, or implementing proper request validation techniques such as:

·        Including an anti-CSRF token, randomly generated for each session, in a hidden form field or in a custom HTTP request header set via JavaScript, and validating it on the server side of the application.

·        Checking the Origin and Referer headers to make sure that they match the expected values for the domain of the originating site.
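The two recommendations above, combined into one server-side check, as an added illustration that is not part of this article and not UIM's own code. It assumes a hypothetical server-side session store (a plain dict), that request headers are supplied as a dict, and an expected origin of https://uim.example.internal (a constructed value). A request is accepted only when the Origin header (or, failing that, the Referer header) matches the expected origin and the per-session token arrives either in a hidden form field or in a custom X-CSRF-Token header; the token comparison is constant-time.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption for this example: the scheme and host the Admin Console is served from.
EXPECTED_ORIGIN = "https://uim.example.internal"


def issue_csrf_token(session):
    """Generate a random per-session token and store it server-side in the session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _normalize_headers(headers):
    # HTTP header names are case-insensitive; compare on lower-cased names.
    return {name.lower(): value for name, value in headers.items()}


def _origin_of(url):
    """Reduce a URL (Origin or Referer value) to scheme://host[:port], or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers the literal "null" Origin and malformed values
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_origin_headers(headers):
    """Recommendation 2: Origin (preferred) or Referer must match the expected origin."""
    h = _normalize_headers(headers)
    if "origin" in h:
        return _origin_of(h["origin"]) == EXPECTED_ORIGIN
    if "referer" in h:
        return _origin_of(h["referer"]) == EXPECTED_ORIGIN
    # Design choice (assumption): a browser form post normally carries at least one of
    # these headers, so a request with neither is rejected rather than trusted.
    return False


def check_csrf_token(session, form, headers):
    """Recommendation 1: token from hidden field or custom header must equal the session token."""
    expected = session.get("csrf_token")
    if not expected:
        return False
    h = _normalize_headers(headers)
    presented = form.get("csrf_token") or h.get("x-csrf-token")
    if not presented:
        return False
    # Constant-time comparison on bytes avoids both timing leaks and str/bytes mismatches.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def validate_state_changing_request(session, form, headers):
    """Both checks must pass before a state-changing form submission is processed."""
    return check_origin_headers(headers) and check_csrf_token(session, form, headers)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    session = {}
    token = issue_csrf_token(session)
    same_site = {"Origin": "https://uim.example.internal", "X-CSRF-Token": token}
    cross_site = {"Origin": "https://other.example", "X-CSRF-Token": token}
    print("same-site with token :", validate_state_changing_request(session, {}, same_site))
    print("cross-site with token:", validate_state_changing_request(session, {}, cross_site))
    print("same-site, no token  :", validate_state_changing_request(session, {}, {"Origin": "https://uim.example.internal"}))
```

The token is bound to the server-side session rather than to a cookie alone, so a forged cross-site form cannot supply it; the Origin/Referer check is kept as an independent second layer because, as the Impact section notes, cookie-level controls such as SameSite are not uniformly enforced by browsers.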

Environment

Release : 20.3

Component : UIM - SECURITY VULNERABILITIES

Resolution

Fix to be released in UIM 20.4 in September 2021